Jeetendra Karki (ITS 360)
Assignment: p124-128, Answer any two questions of “What would you do?” and answer Critical thinking questions of Two Cases.
“What would you do?” Questions
1. Defining the problem: The owner calls me after she receives an anonymous call demanding payment of $10,000, or the company’s customers will be encrypted and made inaccessible by a logic bomb that has been planted in the billing system.
2. Identifying alternatives: I would say that, first, we have backups of all the databases our company has, both in the cloud and in storage. We will also contact the authorities for better case support on this and to find out if any other organizations have been victims of such a threat.
3. Choosing the alternative: Choosing this alternative will help because this sounds like a scam, and it is not something we have to worry about because we have security and a firewall in the cloud storage and in our network.
4. Implementing the decision: By implementing this decision, we won’t pay anyone any money. This will ensure that, if the threat is real, they will eventually be caught through backtracing.
5. Evaluation: We have a firewall and network security, and I will tell my employees right away to go through the system and check for anything suspicious. Lastly, it is not something to be worried about, as this is just another spam call targeted at a vast population of organizations.
Summary of the five-step decision-making process: I am an IT manager of a small business, and the owner calls me after she receives an anonymous call demanding payment of $10,000, or the company’s customers will be encrypted and made inaccessible by a logic bomb that has been planted in the billing system. I would say that, first, we have backups of all the databases our company has, both in the cloud and in storage, which have high security. We have a firewall and network security, and I will tell my employees right away to go through the system and check for anything suspicious. Lastly, it is not something to be worried about, as this is just another spam call targeted at a vast population of organizations.
Answer4: Summary of the five-step decision-making process: My classmate is telling me that he has created a blended threat, which he plans to test against the university computer system this weekend; he has worked all semester on that project. This is not OK when he is talking about testing it against the university computers. This will jeopardize the whole computer system in the university, causing chaos, which will be very sophisticated as it will have malicious code and affect devices on the network for all the students and staff. More or less, he will get caught and will face serious consequences. This is a really serious issue, and I will warn him not to do this and will eventually have the faculty involved in this. I know he is my friend, but he is trying to do something against the university where I study and use the computers too.
Critical Thinking Questions of two cases:
Case 1: Fairplay Turns to a Managed Security Service Provider
Answer1: The MSSP offered Fairplay a more managed network security to comply with the PCI DSS that can generate with payment credit card issues. I think this is a good thing to implement at low cost, and I don’t see any potential drawback of this approach, but there is one drawback: they have access to the company’s insights. The MSSP is a reputable and stable organization that has certified experts and advanced technology. Trusting them is right.
Answer2: As a member of Fairplay’s management team, we know that no matter how much better the security gets, there is always a key for it that can be hacked in some way. PCI compliance is definitely important; the only thing is that when we implement this, we have to make sure our hardware, software, network security, firewalls, and updates are the latest and greatest, with updates and upgrades done to fix any potential loopholes. Secondly, we have to make sure the IT personnel are aware of all the changes and are trained for them.
Answer3: The 3.0 update resolves this by helping to establish a "culture of security" through educating organizations about liability, accountability and fraud protection. 3.0 includes a new set of best practices for implementation to help make PCI compliance an integral part of every business's operations. Under PCI 2.0, businesses could get away with lackadaisical penetration testing of their data security systems and technically qualify as compliant. 3.0 adds more rigorous requirements to ensure merchants scan for vulnerabilities in a manner more consistent with the intended spirit of these mandated penetration tests.
Case 2: Sony’s Response to North Korea’s Cyberattack
Answer1: Sony’s response to the attack wasn’t the best or most appropriate, as they should have released the movie on the planned date and avoided giving it to the terrorist and should have given to them under pressure at any cost.
Answer2: I think the US government and Sony should have sorted out and found out who was involved, as this can be traced. They should have replied to the attackers that they will be traced and will be in big trouble, and that with their threat they will have serious consequences.
Answer3: Yes, the government and the organization should have the authority and access to data to find a way to keep the data secured and under a strong firewall and network team. The government definitely should have some limitations on what it can and cannot access, but it should be more focused on maintaining security.